Alerting

How to display the scheduled job start time and current time in the alert email subject line?

marellasunil
Communicator

Hi,
I would like to display the job schedule time in the alert subject line.
For example, I have an alert which is running for the last 15 mins, I wanted to display the Job start time, and present time in subject line.

  1. I have tried adding $job.earliestTime$ in the alert subject line but I am getting empty field,
  2. when I tried "$trigger_time$" I am getting the result as 1422965960 instead of time, Can some one suggest? getting either ways should be fine.
0 Karma

woodcock
Esteemed Legend

You can add | addinfo to your search and use $result.whatever$ where whatever is the field from addinfo or another one that you generated (formatted) from those it adds.

0 Karma

helenashton
Path Finder

How do you do this but not display the info in the report?
I want to be able to do this for the email subject line for both a scheduled report and a scheduled dashboard.

0 Karma

woodcock
Esteemed Legend

You cannot.

0 Karma

splunkcvc
New Member

I'm running 6.2.5
To be clear the issue is happening with only dashboards converted to pdf format and emailed via pdf delivery option.

I think the issue with splunk's dashboard mode because there's multiple panels it doesn't know where to grab a timestamp value.

Unlike saved searches and reports the there's only 1 time stamp value being passed.

0 Karma

cramasta
Builder

what version are you running? Only the more recent versions of splunk allow you to include these tokens.
When changed the subject line to be
Splunk Report: $job.earliestTime$
I got the following in my email subject line
Splunk Report: 2015-02-04T22:30:00.000+00:00
I am running 6.1.5

0 Karma

marellasunil
Communicator

Hi Cramasta,
I am also using splunk 6.1.5
when I am running below details in search I am getting the date in subject line
Query :
sendemail to=XXXXX@splunk.com server=XXXXXXXXXXXXXXX subject="failures between $job.earliestTime$ and $job.latestTime$" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

But when I am running the query in app (We have created seperate app for alerting), I am getting empty results. Do I need to do any modification in the app to get the exact result? I mean I have enabled "send email" option in the alert setting.

0 Karma

David
Splunk Employee
Splunk Employee

Have you tried walking through the workflow in the save alert screen, as opposed to using sendemail? I would not expect there to be a different behavior there, but given that it should work...

0 Karma

marellasunil
Communicator

Hi David,
Yes, I have. When I use "$trigger_time$" in the subject line field, It is working (Getting results as 1422965960 instead of date) but when I am using $job.earliestTime$ i am getting empty.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...